ruby-openid2 3.0.0

data/lib/openid/consumer/associationmanager.rb

@@ -0,0 +1,354 @@
+require_relative "../dh"
+require_relative "../util"
+require_relative "../kvpost"
+require_relative "../cryptutil"
+require_relative "../protocolerror"
+require_relative "../association"
+
+module OpenID
+  class Consumer
+    # A superclass for implementing Diffie-Hellman association sessions.
+    class DiffieHellmanSession
+      class << self
+        attr_reader :session_type,
+          :secret_size,
+          :allowed_assoc_types,
+          :hashfunc
+      end
+
+      def initialize(dh = nil)
+        dh = DiffieHellman.from_defaults if dh.nil?
+        @dh = dh
+      end
+
+      # Return the query parameters for requesting an association
+      # using this Diffie-Hellman association session
+      def get_request
+        args = {"dh_consumer_public" => CryptUtil.num_to_base64(@dh.public)}
+        unless @dh.using_default_values?
+          args["dh_modulus"] = CryptUtil.num_to_base64(@dh.modulus)
+          args["dh_gen"] = CryptUtil.num_to_base64(@dh.generator)
+        end
+
+        args
+      end
+
+      # Process the response from a successful association request and
+      # return the shared secret for this association
+      def extract_secret(response)
+        dh_server_public64 = response.get_arg(
+          OPENID_NS,
+          "dh_server_public",
+          NO_DEFAULT,
+        )
+        enc_mac_key64 = response.get_arg(OPENID_NS, "enc_mac_key", NO_DEFAULT)
+        dh_server_public = CryptUtil.base64_to_num(dh_server_public64)
+        enc_mac_key = Util.from_base64(enc_mac_key64)
+        @dh.xor_secret(
+          self.class.hashfunc,
+          dh_server_public,
+          enc_mac_key,
+        )
+      end
+    end
+
+    # A Diffie-Hellman association session that uses SHA1 as its hash
+    # function
+    class DiffieHellmanSHA1Session < DiffieHellmanSession
+      @session_type = "DH-SHA1"
+      @secret_size = 20
+      @allowed_assoc_types = ["HMAC-SHA1"]
+      @hashfunc = CryptUtil.method(:sha1)
+    end
+
+    # A Diffie-Hellman association session that uses SHA256 as its hash
+    # function
+    class DiffieHellmanSHA256Session < DiffieHellmanSession
+      @session_type = "DH-SHA256"
+      @secret_size = 32
+      @allowed_assoc_types = ["HMAC-SHA256"]
+      @hashfunc = CryptUtil.method(:sha256)
+    end
+
+    # An association session that does not use encryption
+    class NoEncryptionSession
+      class << self
+        attr_reader :session_type, :allowed_assoc_types
+      end
+      @session_type = "no-encryption"
+      @allowed_assoc_types = %w[HMAC-SHA1 HMAC-SHA256]
+
+      def get_request
+        {}
+      end
+
+      def extract_secret(response)
+        mac_key64 = response.get_arg(OPENID_NS, "mac_key", NO_DEFAULT)
+        Util.from_base64(mac_key64)
+      end
+    end
+
+    # An object that manages creating and storing associations for an
+    # OpenID provider endpoint
+    class AssociationManager
+      def self.create_session(session_type)
+        case session_type
+        when "no-encryption"
+          NoEncryptionSession.new
+        when "DH-SHA1"
+          DiffieHellmanSHA1Session.new
+        when "DH-SHA256"
+          DiffieHellmanSHA256Session.new
+        else
+          raise ArgumentError, "Unknown association session type: " \
+            "#{session_type.inspect}"
+        end
+      end
+
+      def initialize(store, server_url, compatibility_mode = false,
+        negotiator = nil)
+        @store = store
+        @server_url = server_url
+        @compatibility_mode = compatibility_mode
+        @negotiator = negotiator || DefaultNegotiator
+      end
+
+      def get_association
+        return if @store.nil?
+
+        assoc = @store.get_association(@server_url)
+        if assoc.nil? || assoc.expires_in <= 0
+          assoc = negotiate_association
+          @store.store_association(@server_url, assoc) unless assoc.nil?
+        end
+
+        assoc
+      end
+
+      def negotiate_association
+        assoc_type, session_type = @negotiator.get_allowed_type
+        begin
+          request_association(assoc_type, session_type)
+        rescue ServerError => e
+          supported_types = extract_supported_association_type(e, assoc_type)
+          unless supported_types.nil?
+            # Attempt to create an association from the assoc_type and
+            # session_type that the server told us it supported.
+            assoc_type, session_type = supported_types
+            begin
+              request_association(assoc_type, session_type)
+            rescue ServerError
+              Util.log("Server #{@server_url} refused its suggested " \
+                "association type: session_type=#{session_type}, " \
+                "assoc_type=#{assoc_type}")
+              nil
+            end
+          end
+        rescue InvalidOpenIDNamespace
+          Util.log("Server #{@server_url} returned a malformed association " \
+            "response.  Falling back to check_id mode for this request.")
+          nil
+        end
+      end
+
+      protected
+
+      def extract_supported_association_type(server_error, assoc_type)
+        # Any error message whose code is not 'unsupported-type' should
+        # be considered a total failure.
+        if server_error.error_code != "unsupported-type" or
+            server_error.message.is_openid1
+          Util.log("Server error when requesting an association from " \
+            "#{@server_url}: #{server_error.error_text}")
+          return
+        end
+
+        # The server didn't like the association/session type that we
+        # sent, and it sent us back a message that might tell us how to
+        # handle it.
+        Util.log("Unsupported association type #{assoc_type}: " \
+          "#{server_error.error_text}")
+
+        # Extract the session_type and assoc_type from the error message
+        assoc_type = server_error.message.get_arg(OPENID_NS, "assoc_type")
+        session_type = server_error.message.get_arg(OPENID_NS, "session_type")
+
+        if assoc_type.nil? or session_type.nil?
+          Util.log("Server #{@server_url} responded with unsupported " \
+            "association session but did not supply a fallback.")
+          nil
+        elsif !@negotiator.allowed?(assoc_type, session_type)
+          Util.log("Server sent unsupported session/association type: " \
+            "session_type=#{session_type}, assoc_type=#{assoc_type}")
+          nil
+        else
+          [assoc_type, session_type]
+        end
+      end
+
+      # Make and process one association request to this endpoint's OP
+      # endpoint URL. Returns an association object or nil if the
+      # association processing failed. Raises ServerError when the
+      # remote OpenID server returns an error.
+      def request_association(assoc_type, session_type)
+        assoc_session, args = create_associate_request(assoc_type, session_type)
+
+        begin
+          response = OpenID.make_kv_post(args, @server_url)
+          extract_association(response, assoc_session)
+        rescue HTTPStatusError => e
+          Util.log("Got HTTP status error when requesting association: #{e}")
+          nil
+        rescue Message::KeyNotFound => e
+          Util.log("Missing required parameter in response from " \
+            "#{@server_url}: #{e}")
+          nil
+        rescue ProtocolError => e
+          Util.log("Protocol error processing response from #{@server_url}: " \
+            "#{e}")
+          nil
+        end
+      end
+
+      # Create an association request for the given assoc_type and
+      # session_type. Returns a pair of the association session object
+      # and the request message that will be sent to the server.
+      def create_associate_request(assoc_type, session_type)
+        assoc_session = self.class.create_session(session_type)
+        args = {
+          "mode" => "associate",
+          "assoc_type" => assoc_type,
+        }
+
+        args["ns"] = OPENID2_NS unless @compatibility_mode
+
+        # Leave out the session type if we're in compatibility mode
+        # *and* it's no-encryption.
+        if !@compatibility_mode ||
+            assoc_session.class.session_type != "no-encryption"
+          args["session_type"] = assoc_session.class.session_type
+        end
+
+        args.merge!(assoc_session.get_request)
+        message = Message.from_openid_args(args)
+        [assoc_session, message]
+      end
+
+      # Given an association response message, extract the OpenID 1.X
+      # session type. Returns the association type for this message
+      #
+      # This function mostly takes care of the 'no-encryption' default
+      # behavior in OpenID 1.
+      #
+      # If the association type is plain-text, this function will
+      # return 'no-encryption'
+      def get_openid1_session_type(assoc_response)
+        # If it's an OpenID 1 message, allow session_type to default
+        # to nil (which signifies "no-encryption")
+        session_type = assoc_response.get_arg(OPENID_NS, "session_type")
+
+        # Handle the differences between no-encryption association
+        # respones in OpenID 1 and 2:
+
+        # no-encryption is not really a valid session type for
+        # OpenID 1, but we'll accept it anyway, while issuing a
+        # warning.
+        if session_type == "no-encryption"
+          Util.log("WARNING: #{@server_url} sent 'no-encryption'" \
+            "for OpenID 1.X")
+
+        # Missing or empty session type is the way to flag a
+        # 'no-encryption' response. Change the session type to
+        # 'no-encryption' so that it can be handled in the same
+        # way as OpenID 2 'no-encryption' respones.
+        elsif session_type == "" || session_type.nil?
+          session_type = "no-encryption"
+        end
+
+        session_type
+      end
+
+      def self.extract_expires_in(message)
+        # expires_in should be a base-10 string.
+        expires_in_str = message.get_arg(OPENID_NS, "expires_in", NO_DEFAULT)
+        raise ProtocolError, "Invalid expires_in field: #{expires_in_str}" unless /\A\d+\Z/.match?(expires_in_str)
+
+        expires_in_str.to_i
+      end
+
+      # Attempt to extract an association from the response, given the
+      # association response message and the established association
+      # session.
+      def extract_association(assoc_response, assoc_session)
+        # Extract the common fields from the response, raising an
+        # exception if they are not found
+        assoc_type = assoc_response.get_arg(
+          OPENID_NS,
+          "assoc_type",
+          NO_DEFAULT,
+        )
+        assoc_handle = assoc_response.get_arg(
+          OPENID_NS,
+          "assoc_handle",
+          NO_DEFAULT,
+        )
+        expires_in = self.class.extract_expires_in(assoc_response)
+
+        # OpenID 1 has funny association session behaviour.
+        session_type = if assoc_response.is_openid1
+          get_openid1_session_type(assoc_response)
+        else
+          assoc_response.get_arg(
+            OPENID2_NS,
+            "session_type",
+            NO_DEFAULT,
+          )
+        end
+
+        # Session type mismatch
+        if assoc_session.class.session_type != session_type
+          if assoc_response.is_openid1 and session_type == "no-encryption"
+            # In OpenID 1, any association request can result in a
+            # 'no-encryption' association response. Setting
+            # assoc_session to a new no-encryption session should
+            # make the rest of this function work properly for
+            # that case.
+            assoc_session = NoEncryptionSession.new
+          else
+            # Any other mismatch, regardless of protocol version
+            # results in the failure of the association session
+            # altogether.
+            raise ProtocolError, "Session type mismatch. Expected " \
+              "#{assoc_session.class.session_type}, got " \
+              "#{session_type}"
+          end
+        end
+
+        # Make sure assoc_type is valid for session_type
+        unless assoc_session.class.allowed_assoc_types.member?(assoc_type)
+          raise ProtocolError, "Unsupported assoc_type for session " \
+            "#{assoc_session.class.session_type} " \
+            "returned: #{assoc_type}"
+        end
+
+        # Delegate to the association session to extract the secret
+        # from the response, however is appropriate for that session
+        # type.
+        begin
+          secret = assoc_session.extract_secret(assoc_response)
+        rescue Message::KeyNotFound, ArgumentError => e
+          raise ProtocolError, "Malformed response for " \
+            "#{assoc_session.class.session_type} " \
+            "session: #{e.message}"
+        end
+
+        Association.from_expires_in(
+          expires_in,
+          assoc_handle,
+          secret,
+          assoc_type,
+        )
+      end
+    end
+  end
+end

data/lib/openid/consumer/checkid_request.rb

@@ -0,0 +1,179 @@
+require_relative "../message"
+require_relative "../util"
+
+module OpenID
+  class Consumer
+    # An object that holds the state necessary for generating an
+    # OpenID authentication request. This object holds the association
+    # with the server and the discovered information with which the
+    # request will be made.
+    #
+    # It is separate from the consumer because you may wish to add
+    # things to the request before sending it on its way to the
+    # server. It also has serialization options that let you encode
+    # the authentication request as a URL or as a form POST.
+    class CheckIDRequest
+      attr_accessor :return_to_args, :message
+      attr_reader :endpoint, :anonymous
+
+      # Users of this library should not create instances of this
+      # class.  Instances of this class are created by the library
+      # when needed.
+      def initialize(assoc, endpoint)
+        @assoc = assoc
+        @endpoint = endpoint
+        @return_to_args = {}
+        @message = Message.new(endpoint.preferred_namespace)
+        @anonymous = false
+      end
+
+      # Set whether this request should be made anonymously. If a
+      # request is anonymous, the identifier will not be sent in the
+      # request. This is only useful if you are making another kind of
+      # request with an extension in this request.
+      #
+      # Anonymous requests are not allowed when the request is made
+      # with OpenID 1.
+      def anonymous=(is_anonymous)
+        if is_anonymous && @message.is_openid1
+          raise ArgumentError, "OpenID1 requests MUST include the " \
+            "identifier in the request"
+        end
+        @anonymous = is_anonymous
+      end
+
+      # Add an object that implements the extension interface for
+      # adding arguments to an OpenID message to this checkid request.
+      #
+      # extension_request: an OpenID::Extension object.
+      def add_extension(extension_request)
+        extension_request.to_message(@message)
+      end
+
+      # Add an extension argument to this OpenID authentication
+      # request. You probably want to use add_extension and the
+      # OpenID::Extension interface.
+      #
+      # Use caution when adding arguments, because they will be
+      # URL-escaped and appended to the redirect URL, which can easily
+      # get quite long.
+      def add_extension_arg(namespace, key, value)
+        @message.set_arg(namespace, key, value)
+      end
+
+      # Produce a OpenID::Message representing this request.
+      #
+      # Not specifying a return_to URL means that the user will not be
+      # returned to the site issuing the request upon its completion.
+      #
+      # If immediate mode is requested, the OpenID provider is to send
+      # back a response immediately, useful for behind-the-scenes
+      # authentication attempts.  Otherwise the OpenID provider may
+      # engage the user before providing a response.  This is the
+      # default case, as the user may need to provide credentials or
+      # approve the request before a positive response can be sent.
+      def get_message(realm, return_to = nil, immediate = false)
+        if !return_to.nil?
+          return_to = Util.append_args(return_to, @return_to_args)
+        elsif immediate
+          raise ArgumentError, '"return_to" is mandatory when using ' \
+            '"checkid_immediate"'
+        elsif @message.is_openid1
+          raise ArgumentError, '"return_to" is mandatory for OpenID 1 ' \
+            "requests"
+        elsif @return_to_args.empty?
+          raise ArgumentError, 'extra "return_to" arguments were specified, ' \
+            "but no return_to was specified"
+        end
+
+        message = @message.copy
+
+        mode = immediate ? "checkid_immediate" : "checkid_setup"
+        message.set_arg(OPENID_NS, "mode", mode)
+
+        realm_key = message.is_openid1 ? "trust_root" : "realm"
+        message.set_arg(OPENID_NS, realm_key, realm)
+
+        message.set_arg(OPENID_NS, "return_to", return_to) unless return_to.nil?
+
+        unless @anonymous
+          if @endpoint.is_op_identifier
+            # This will never happen when we're in OpenID 1
+            # compatibility mode, as long as is_op_identifier()
+            # returns false whenever preferred_namespace returns
+            # OPENID1_NS.
+            claimed_id = request_identity = IDENTIFIER_SELECT
+          else
+            request_identity = @endpoint.get_local_id
+            claimed_id = @endpoint.claimed_id
+          end
+
+          # This is true for both OpenID 1 and 2
+          message.set_arg(OPENID_NS, "identity", request_identity)
+
+          message.set_arg(OPENID2_NS, "claimed_id", claimed_id) if message.is_openid2
+        end
+
+        if @assoc && (message.is_openid1 || !%w[checkid_setup checkid_immediate].include?(mode))
+          message.set_arg(OPENID_NS, "assoc_handle", @assoc.handle)
+          assoc_log_msg = "with assocication #{@assoc.handle}"
+        else
+          assoc_log_msg = "using stateless mode."
+        end
+
+        Util.log("Generated #{mode} request to #{@endpoint.server_url} " \
+          "#{assoc_log_msg}")
+        message
+      end
+
+      # Returns a URL with an encoded OpenID request.
+      #
+      # The resulting URL is the OpenID provider's endpoint URL with
+      # parameters appended as query arguments.  You should redirect
+      # the user agent to this URL.
+      #
+      # OpenID 2.0 endpoints also accept POST requests, see
+      # 'send_redirect?' and 'form_markup'.
+      def redirect_url(realm, return_to = nil, immediate = false)
+        message = get_message(realm, return_to, immediate)
+        message.to_url(@endpoint.server_url)
+      end
+
+      # Get html for a form to submit this request to the IDP.
+      #
+      # form_tag_attrs is a hash of attributes to be added to the form
+      # tag. 'accept-charset' and 'enctype' have defaults that can be
+      # overridden. If a value is supplied for 'action' or 'method',
+      # it will be replaced.
+      def form_markup(realm, return_to = nil, immediate = false,
+        form_tag_attrs = nil)
+        message = get_message(realm, return_to, immediate)
+        message.to_form_markup(@endpoint.server_url, form_tag_attrs)
+      end
+
+      # Get a complete HTML document that autosubmits the request to the IDP
+      # with javascript.  This method wraps form_markup - see that method's
+      # documentation for help with the parameters.
+      def html_markup(realm, return_to = nil, immediate = false,
+        form_tag_attrs = nil)
+        Util.auto_submit_html(form_markup(
+          realm,
+          return_to,
+          immediate,
+          form_tag_attrs,
+        ))
+      end
+
+      # Should this OpenID authentication request be sent as a HTTP
+      # redirect or as a POST (form submission)?
+      #
+      # This takes the same parameters as redirect_url or form_markup
+      def send_redirect?(realm, return_to = nil, immediate = false)
+        return true if @endpoint.compatibility_mode
+
+        url = redirect_url(realm, return_to, immediate)
+        url.length <= OPENID1_URL_LIMIT
+      end
+    end
+  end
+end